Iran Peppers US Banks With Steady Barrage of Cybertraffic

Banks in the U.S. have again become the target of sophisticated distributed denial of service attacks. The volume of traffic and speed at which they're changing attack vectors point to a state-sponsored source. "Banks are prime targets because they're very high-profile," said Scott Hammack, CEO of Prolexic. "I think the attackers are trying to embarrass and discredit the United States."

By Richard Adhikari
Jan 9, 2013 1:34 PM PT

Iran is behind a wave of distributed denial of service attacks that hit U.S. banks in the past few weeks, according to a report in The New York Times.

Speculation on the DDoS Attacks

This is the second wave of DDoS attacks against U.S. banks; the first was launched in September.

There's speculation that the hackers are hijacking data centers and using their bandwidth to power the attacks. Alternatively, they could be assembling their own attack infrastructure, either by remotely hijacking cloud services or by building large networks of individual compromised machines.

Creating large networks of computers -- botnets -- is a tried-and-true tactic used by cybercriminals.

Researchers at Radware found that the DDoS traffic was coming from data centers around the world. Various cloud services and public Web hosting services had been infected with a malware package variously designated as itsoknoproblembro or Brobot, the researchers found.

Prince of Persia?

"What leads us to believe that there is a government or governments behind this is the scale of the operation," Hammack said.

"The servers that are being used to launch the attacks used to employ polling technology -- they'd sit there and, on a certain time delay, they'd look up the instructions they needed to launch an attack," Hammack continued. "Now, they're being commanded and controlled in real time. Somebody is sitting there and changing attack vectors in the sub-10-minute timeframe."

The U.S. government has not said anything in support of Lieberman's statement, but that's because "the government won't want to show its hand," Hammack contended. However, "there are ways of tracking the source of the attacks" and the U.S. government does track them.

The DHS did not respond to our request to comment for this story.

More on DDoS Attacks Against US Banks

The DDoS attacks began in September, and, so far, a group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" has claimed responsibility. It has also threatened to continue attacking U.S. banks.

The itsoknoproblembro attack has at least 11 different attack signatures, Prolexic said. The attack vectors include POST, GET, Transmission Control Protocol and User Datagram Protocol floods with and without proxies. There's also a "Kamikaze" GET flood script that can relaunch automated attacks repeatedly.
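The GET and POST floods described above are the easiest of these vectors to spot from a bank's own web-server logs, because each flooding source produces a burst of requests far above any human rate. The script below is an added example, not code from the original article or from Prolexic or Radware: it parses access-log lines in the common Apache/nginx "combined" format, finds sources whose request rate inside a sliding window exceeds a threshold, and reports their method mix so a GET flood can be told from a POST flood. It also computes the site-wide peak rate, which is what a proxied flood spread across many source addresses will trip even when no single address crosses the per-source threshold. The IP addresses, timestamps and request lines are constructed sample data (documentation-range addresses), and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line, e.g.
# 203.0.113.7 - - [09/Jan/2013:14:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def peak_in_window(timestamps, window_seconds):
    """Largest number of events falling inside any window_seconds-long interval."""
    ts = sorted(timestamps)
    peak, start = 0, 0
    for end in range(len(ts)):
        # Slide the window start forward until it spans at most window_seconds.
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each source IP whose peak windowed request count reaches `threshold`
    to its peak count and a breakdown of HTTP methods it used (GET vs POST flood)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        peak = peak_in_window([r["ts"] for r in recs], window_seconds)
        if peak >= threshold:
            methods = defaultdict(int)
            for r in recs:
                methods[r["method"]] += 1
            flagged[ip] = {"peak": peak, "methods": dict(methods)}
    return flagged


def site_peak_rate(lines, window_seconds=10):
    """Peak request count across ALL sources; catches proxied floods that stay
    under the per-source threshold by spreading requests over many addresses."""
    stamps = [rec["ts"] for rec in map(parse_line, lines) if rec]
    return peak_in_window(stamps, window_seconds)


def make_lines(ip, method, path, start, count, spacing_s):
    """Build constructed (fake) log lines: `count` requests from `ip`, `spacing_s` s apart."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * spacing_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return out


# Constructed sample log (assumption: two flooding sources plus one normal visitor).
T0 = datetime(2013, 1, 9, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    make_lines("203.0.113.7", "GET", "/login", T0, 40, 0.2)            # 40 GETs in ~8 s
    + make_lines("198.51.100.23", "POST", "/api/transfer", T0, 30, 0.25)  # 30 POSTs in ~7.5 s
    + make_lines("192.0.2.10", "GET", "/", T0, 5, 30)                   # 5 requests over 2 min
)

if __name__ == "__main__":
    for ip, info in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: peak {info['peak']} req/10s, methods {info['methods']}")
    print("site-wide peak:", site_peak_rate(SAMPLE_LOG), "req/10s")
```

Per-source thresholds like this are a first filter only: a proxied or distributed flood shows up as many addresses each under the threshold, so the site-wide peak (or a per-path peak for the login and transfer endpoints) is the number to alert on, and the "Kamikaze"-style relaunch pattern appears in the logs as repeated bursts from the same sources after a quiet gap.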

In October, RSA announced the discovery of the Prinimalka-Gozi Trojan, which launches man-in-the-middle attacks against people who bank online. The people behind it were trying to recruit an army of cybercriminals to launch a coordinated wave of account-takeover attacks against U.S. banks, RSA said.

The Trojan basically creates a mirror image of PCs it has taken over, Oren Kedem, director of product marketing at Trusteer, told TechNewsWorld.

"Banks are prime targets because they're very high-profile," Hammack said. "I think the attackers are trying to embarrass and discredit the United States."